On Tue, Sep 6 2022 at 10:11:54 AM -0700, Adam Williamson <adamw...@fedoraproject.org> wrote:
> i.e. it was specifically about moving away from allowing "simple
> TOTP/HOTP" 2FA, as it is phishable, and requiring webauthn, of which
> Vitaly's points are I believe accurate.

Yes indeed.

That said, I *think* it could be done entirely in software, as the browser doesn't actually know whether it's talking to real hardware or to software pretending to be real hardware, right? I don't know enough about FIDO2 to be sure, but I assume that it should be possible to do it. Using a hardware token is not actually the primary goal. The goal is to programmatically enforce that the authentication token is keyed to the domain that is *actually* requesting authentication, as reported by the web browser, so the 2FA token that gets generated for the fake fedoraproject.org.evil would not be a valid 2FA token for the real fedoraproject.org.

Of course, hardware authenticators would be even more secure, and it sure seems pretty reasonable to expect that people with commit access to Fedora packages are able to purchase a $25 or 30€ security key [1][2]. You don't need to spend $50 for a simple security key. But this really only makes a difference if the packager's computer is compromised, and at that point we've probably already lost.

Any 2FA is better than no 2FA. Currently I do not have any 2FA enabled on my Fedora account because there's no way to disable it once enabled, and I'm afraid something will break, so I'm not brave enough to opt in. I highly doubt I'm alone here.

Michael

[1] https://www.yubico.com/product/security-key-nfc-by-yubico/
[2] https://shop.nitrokey.com/shop/product/nkfi2-nitrokey-fido2-55

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
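As an added example (not code from this thread or from Fedora infrastructure), the following Python models the origin binding Michael describes above: the browser derives the RP ID from the origin it is really connected to, the authenticator only signs for that RP ID, and the relying party checks the origin and rpIdHash in the signed data before it checks the signature. The signature itself is a labelled stand-in: HMAC over a per-(RP ID, credential) key replaces ECDSA P-256, so the "stored key" the relying party keeps is the same secret rather than a public key. The domain fedoraproject.org.evil comes from the thread; the function and class names and the sample challenge are invented here. A TOTP path (RFC 4226 HOTP over a 30-second step) is included for contrast, to show why a relayed six-digit code validates no matter which page collected it.

```python
"""Software model of WebAuthn origin binding versus a relayable TOTP code.

Added example, not Fedora project code. Signature = HMAC over a key derived
per (RP ID, credential ID); a real authenticator uses an asymmetric key pair,
but what gets signed and what the RP checks follow the WebAuthn flow.
"""
import base64, hashlib, hmac, json, secrets, struct, time
from urllib.parse import urlsplit

RP_ORIGIN = "https://fedoraproject.org"          # the real site
PHISH_ORIGIN = "https://fedoraproject.org.evil"  # attacker domain named in the thread


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def rp_id_from_origin(origin: str) -> str:
    # The browser, not the page, derives the RP ID from the origin it is actually
    # connected to, so a page at fedoraproject.org.evil cannot request a
    # credential scoped to fedoraproject.org.
    return urlsplit(origin).hostname


class SoftwareAuthenticator:
    """Per-RP-ID key derivation: a credential only signs for the RP ID it was made for."""

    def __init__(self):
        self._seed = secrets.token_bytes(32)
        self._counter = 0

    def _key(self, rp_id: str, cred_id: bytes) -> bytes:
        return hmac.new(self._seed, rp_id.encode() + cred_id, hashlib.sha256).digest()

    def make_credential(self, rp_id: str):
        cred_id = secrets.token_bytes(16)
        return cred_id, self._key(rp_id, cred_id)  # stand-in for the public key the RP stores

    def get_assertion(self, rp_id: str, cred_id: bytes, client_data_hash: bytes):
        self._counter += 1
        # authenticatorData = rpIdHash (32) + flags (UP set) + signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self._counter)
        sig = hmac.new(self._key(rp_id, cred_id), auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(origin: str, challenge: bytes, authn: SoftwareAuthenticator, cred_id: bytes):
    """The browser builds clientDataJSON from the origin it sees and hashes it into the signature."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    auth_data, sig = authn.get_assertion(rp_id_from_origin(origin), cred_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


def rp_verify(expected_origin, expected_rp_id, challenge, stored_key, client_data, auth_data, sig):
    """Relying-party checks in spec order; returns the list of checks that failed (empty = accept)."""
    cd = json.loads(client_data)
    failed = []
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(challenge):
        failed.append("challenge")
    if cd.get("origin") != expected_origin:
        failed.append("origin")
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        failed.append("rpIdHash")
    expected_sig = hmac.new(stored_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        failed.append("signature")
    return failed


def webauthn_scenario(login_origin: str):
    """Register at the real site, then log in from a browser sitting at login_origin.
    The attacker relays whatever that browser produced to the real RP."""
    authn = SoftwareAuthenticator()
    rp_id = rp_id_from_origin(RP_ORIGIN)
    cred_id, stored_key = authn.make_credential(rp_id)       # registration at fedoraproject.org
    challenge = secrets.token_bytes(32)                       # issued by the real RP, relayed by the phishing page
    client_data, auth_data, sig = browser_get_assertion(login_origin, challenge, authn, cred_id)
    return rp_verify(RP_ORIGIN, rp_id, challenge, stored_key, client_data, auth_data, sig)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 10 ** digits:0{digits}d}"


def totp_scenario(login_origin: str) -> bool:
    """The user types the current code into whichever page asked for it; login_origin never
    enters the computation, so the real RP accepts the code relayed from the phishing page."""
    secret = secrets.token_bytes(20)
    step = int(time.time()) // 30
    code_typed_into_page = hotp(secret, step)
    return hotp(secret, step) == code_typed_into_page


if __name__ == "__main__":
    print("webauthn, real site :", webauthn_scenario(RP_ORIGIN) or "accepted")
    print("webauthn, phishing  :", webauthn_scenario(PHISH_ORIGIN))
    print("totp, phishing      :", "accepted" if totp_scenario(PHISH_ORIGIN) else "rejected")
```

The phishing run fails three independent checks: the origin the browser wrote into clientDataJSON, the rpIdHash the authenticator put into authenticatorData, and the signature, which was made with a key scoped to fedoraproject.org.evil. Nothing in that chain depends on the authenticator being hardware, which is the point made in the message: a software authenticator that honours the RP ID the browser hands it gives the same domain binding, and hardware only adds protection against key extraction from an already compromised machine.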
